JWPlatt wrote:I've had the thought to alter the code to accept just one password on the CAPTCHA form regardless of the image presented. The instructions at the text box would be altered to say "Type 'human' here instead of the code you see." Spambots use the CAPTCHA image while real people type "human". I guess that wouldn't work on the human slave labor.

Actually, it probably would. It's unlikely that "human drones" would be asked to fill in all the fields of a registration form; they'd simply be asked to solve the CAPTCHA, which by your proposal would now be incorrect.

Lehm wrote:Instead of banning domains or CAPTCHA, I've seen another tactic that seems to work. The first two posts by a new user must be approved. This would still allow the spam bots to sign up, but this way anything that comes from a spam bot will be in a nice queue ready to be deleted, rather than having to go around finding them. No matter what methods people try to get rid of spam bots, they always find a way around the automatic filters.

Yeah, I think the default for phpBB3 on this is actually 3 posts, but it still means manually deleting posts and accounts for every spambot that registers, and if you're getting several per day then that becomes a pain, especially if you're trying to run a site "part-time". I'd rather stop them registering in the first place, if possible. The trick really is to make your registration form slightly unique; there are plenty of "stock" phpBB3 sites around, so it's unlikely that any spammer will find it worthwhile to code a workaround specifically for your particular "oddity". Security through Obscurity. Of course, that doesn't protect you from a true human spammer or nuisance poster, but those are surprisingly rare, and Lehm's suggestion does work there. But I think JW is trying to get away from needing to approve every new signup?

That's right. A moderation queue is too much work and there is already a mechanism in place. Spambots are effectively blocked by the Members Usergroup requirement. That's the "oddity" here. There hasn't been a single spambot post. It's still about registration.

There are currently about five spambot registrations per day. I assume with that few many might be failing CAPTCHA. I do have it turned up to be harder from the default. Far fewer registrations get successfully validated which I assume to mean most don't use good email addresses, or at least don't do a good job of using the validation emails, or validation emails get flagged as spam somewhere and aren't delivered (one hopes for poetic justice).

By the way, it's actually more work to go back to admin validation than it is to delete unvalidated accounts. You either have to rubber stamp them anyway or do research on each unfamiliar name. I tried looking at other community sites to verify names, but quickly realized it's better to give people a week to validate than make bad guesses on what's an honest registration and perhaps delete an innocent account.

JWPlatt wrote:There are currently about five spambot registrations per day. I assume with that few many might be failing CAPTCHA. I do have it turned up to be harder from the default. Far fewer registrations get successfully validated which I assume to mean most don't use good email addresses, or at least don't do a good job of using the validation emails, or validation emails get flagged as spam somewhere and aren't delivered (one hopes for poetic justice).

I dunno JW. My server logs show between 3 and 6 attempted spambot registrations every day - how many bot visits you get may depend on how many other sites link to you, but I suspect the CAPTCHA isn't stopping very many. Before I modded my forum registration page, at least some were getting through with the CAPTCHA X and Y noise turned up to around 9. I'm now back at 19, and no spambots are managing to register. Some bots realise their registration didn't take and give up right away, others blindly continue trying to post. If they think they've registered, then those IPs keep reappearing in my logs.

By checking the server logs (bots are easy to spot because of certain characteristics in their behaviour), I can find the hosting services that are persistent offenders (KeyWeb aka KeyMachine aka Internet Service Team, Dragonara Alliance, Limit SureHost, VDHost, Panama Server, etc.) and block them at the site level - this has the effect of reducing the spurious traffic and the load on the server. Even then it's amazing how many bots are too stupid to understand 403 "Denied".

Another thing I see in the logs is attempts by various IPs (again mostly hosting services) to run cross-site scripting exploits. I've also had a couple of nuisance registrations on my wiki, not spam, just gibberish postings, but that was before I turned on the e-mail validation. I haven't needed to do any more than that so far.

Given the recent problems that GoMa had with their site being hacked, I'd strongly advocate against moving towards shared authorisation between applications (forum, wiki, mantis) as an exploit of one could expose admin credentials for all the others. It's not that big a pain to have separate logins as we do just now.

Sorry, this has kind of drifted into a general discussion on website security.

You've got to be kidding about banning Gmail. Nobody in their right minds would do that, honestly.

Here are some other things I've thought of, after reading this quote.

JWPlatt wrote:I've had the thought to alter the code to accept just one password on the CAPTCHA form regardless of the image presented. The instructions at the text box would be altered to say "Type 'human' here instead of the code you see." Spambots use the CAPTCHA image while real people type "human". I guess that wouldn't work on the human slave labor.

On some blogs, I've seen systems that display messages like the following above a box (I made this one up as an example):

"Enter the result of adding 5 and 6 into the box, and ignore 3, 15, and 90, which only spambots would care about."

I've also seen things like this:

"5, 7, X, Q, v, 3, n: Enter only the odd numbers and the lowercase letters into the box."

I forget the system's URL, but there's a system that requires the user to match numbered textual list items with pictures. Example:

To prevent automated registration, type the number of each item into the box below its picture.

1. horse
2. leaf
3. sky
4. flower

[picture of sky]
[picture of flower]
[picture of horse]
[picture of leaf]

The system has a fairly large image gallery, if I recall correctly, and the images and list change (i.e., it's not the same thing every time).
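The "enter only the odd numbers and the lowercase letters" challenge above, written out as an added example (not code from any poster or from phpBB): the server generates the token list, keeps the expected answer on its own side under a random challenge id (a plain dict stands in for a session store here, an assumption), and consumes the challenge on the first attempt so the same id cannot be replayed.

```python
import hmac
import secrets
import string

# Constructed example: token pool and server-side store for pending answers.
TOKEN_POOL = string.digits + string.ascii_uppercase + string.ascii_lowercase
CHALLENGE_STORE: dict[str, str] = {}  # challenge id -> expected answer (never sent to the browser)


def expected_answer(tokens: list[str]) -> str:
    """Apply the rule the human is told: keep odd digits and lowercase letters, in order."""
    return "".join(
        t for t in tokens if (t.isdigit() and int(t) % 2 == 1) or t.islower()
    )


def new_challenge(length: int = 7) -> tuple[str, str]:
    """Return (challenge_id, prompt). Only the prompt goes into the form; the answer stays here."""
    while True:
        tokens = [secrets.choice(TOKEN_POOL) for _ in range(length)]
        answer = expected_answer(tokens)
        if len(answer) >= 2:  # avoid degenerate challenges with an empty or one-character answer
            break
    cid = secrets.token_urlsafe(16)
    CHALLENGE_STORE[cid] = answer
    prompt = ", ".join(tokens) + ": Enter only the odd numbers and the lowercase letters."
    return cid, prompt


def check_answer(cid: str, submitted: str) -> bool:
    """One attempt per challenge: the stored answer is removed whether or not it matches."""
    expected = CHALLENGE_STORE.pop(cid, None)
    if expected is None:
        return False  # unknown, already used, or replayed challenge id
    # Constant-time comparison so a wrong answer is not distinguishable by timing.
    return hmac.compare_digest(expected.encode(), submitted.strip().encode())


if __name__ == "__main__":
    challenge_id, text = new_challenge()
    print(text)
    print("accepted:", check_answer(challenge_id, input("answer> ")))
```

In a real phpBB-style form the challenge id would be a hidden field and the store would live in the session table, with entries expiring after a few minutes.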

ZangieF wrote:I forget the system's URL, but there's a system that requires the user to match numbered textual list items with pictures.

Yeah, there was a Mod for phpBB2 that worked something like that. There was another that showed a grid of pictures (5 x 4, I think) with checkboxes under each and you got a question like "Mark the pictures of dogs". In both cases I think you could supply your own images. These weren't particularly simple mods to install though and the latter one took up a lot of space on the form, making it a bit off-putting. I don't know if there are phpBB3 equivalents.

I use BB on my WordPress install (as an adjunct to Defensio - which may also have phpBB links, haven't checked yet) as a complete replacement to captcha (which I hate with a passion - they're at the point where my nearsighted eyes have problems looking at them). Very good IMHO, enough to make me send him a donation.

As to banning gmail, I can see why; it's free, so it was only a matter of time really. Just surprised it took so long...

I started to prepare email accounts at my hosted domain, so I can get around that possibility. gmail can still send as those users - I already configured it to send as one of my ATT Worldnet accounts - so it's not all bad.

I didn't recognise it at first but after a bit of browsing round that site I realised that I'd looked at Bad Behaviour about a year ago, it looked interesting but I ended up not downloading it for some reason.

Looking at it again, the phpBB2 install instruction is referred out to PhSoftware.de, but the notes there haven't been updated in over two years and relate only to phpBB2, meaning that the integration would need to be worked out from scratch.

As I typed that, I suddenly had one of those deja vu moments: I'm sure I typed almost those exact words on another forum a long time ago. Maybe the last time I looked at BB.